
HTTP Status 404- Not Found


Alfredo Vazquez


Hi,

I have configured an SSLVPN split tunnel and created a local AAA user, and I am able to access all my resources just fine logging in with the local AAA user. But when I switch to authenticating with LDAP in the browser, I get an HTTP Status 404 - Not Found after entering my Active Directory username and password. I have other VIPs going to the Stores working correctly using LDAP. The only difference is that I didn't configure STAs on my new VIP because I just want to have it as an SSLVPN split tunnel and access all my resources.

Please advise.


There's not enough info to fully troubleshoot, but here's a start:

 

Since you are mentioning both STA and split tunnel, I'm assuming you have a vpn vserver and your "AAA" in the above is just a reference to the aaa user/aaa groups for gateway access and not a reference to an authentication vserver.

 

So, your session policy(ies) on your vpn vserver determines whether you are in ICAProxy mode or vpn tunnel mode.

You can have multiple users on the same vpn vserver get different settings.

This will be determined either by policies on the vpn vserver OR policies applied to the AAA user or AAA group.

 

ICAProxy configs allow users to access resources via Gateway in a CVAD/XD environment and require communication with the StoreFront Store and a set of STA servers, plus access to any potential VDA you will connect to. The client only requires the ICA client (Citrix Receiver or Workspace App) and this does not usually use a full vpn connection.

 

The vpn connection, however, requires the vpn client and can be done in split tunnel ON or OFF mode. Split Tunnel has no impact on ICA Proxy, and STAs are not needed for vpn connections.

 

So, it's hard to understand what you are trying to do above. But you could share your authentication details, your session profile details and your policy bindings for more specific troubleshooting.

 

1) A typical ICA Proxy only session profile has settings such as:

ICAProxy:ON

StoreFront:  https://<storefront fqdn>/Citrix/<storeName>

SSON: Domain

Client Choices: OFF

And possibly a Session Profile setting for authorization ALLOW, or explicit authorization policies providing access to an appropriate list of destination IPs and ports.

Session policy can be applied to an AAA User or AAA Group (if using the classic engine, the priority must be more important than the vpn vserver policy priorities if in conflict).

 

2) A typical VPN only policy:

Would usually have ICA Proxy: OFF and no StoreFront store specified.

This would then include the vpn vserver settings and the split tunnel behavior.

 

For split tunnel ON, you must also assign Intranet Apps, aka the networks to intercept for split tunnel. These can be assigned to the vpn vserver or to the AAA group/AAA User.

In addition, for any networks the vpn will tunnel to, a user will need authorization policies (usually based on destination network/destination ports) to override the default deny authorization settings.

For a vpn vserver with mixed user modes (vpn and ICA Proxy), it's important to make sure you don't give vpn users broader access to internal networks than intended.

 

To troubleshoot your above issue:

1) During the authentication behavior, are you using LDAP with Group Extraction, and do you have the proper AAA Group names created on the gateway to assign policies to? Or are you managing via aaa users instead, based on external authentication? (These are all settings.)

1a) So first you need to make sure the aaa user/aaa group settings are correct and that the authentication policy is doing what it needs to do.

You can view aaad.debug for authentication troubleshooting (shell; cd /tmp; cat aaad.debug, and view the authentication output for the AD account you are having issues with). This can help identify if it is a user issue or an authentication policy issue; aaad.debug doesn't output for local account authentication.

1b) Then you need to make sure that the right policies are applied at the user/group level. Do you have the right session policy defined, the right authorization settings defined, and, for split tunnel, do you also have intranet apps defined?

1c) You can test the vpn access via an alternate local user if you want to narrow down whether it is an authentication policy problem or a policy issue.

 

2) If the authentication is good, then it's a matter of breaking down the session policy/authorization requirements you need for StoreFront/CVAD access and then separately defining the session policy/authorization/intranet apps for your vpn/split tunnel behavior.


Hi Rhonda,

To troubleshoot your above issue:

1) During the authentication behavior, are you using LDAP with Group Extraction, and do you have the proper AAA Group names created on the gateway to assign policies to? Or are you managing via aaa users instead, based on external authentication? (These are all settings.)

I am using LDAP with Group Extraction and configured an AAA group, but noticed that when applying the AAA group I get this message: "Error: Not a privileged user".

1a) So first you need to make sure the aaa user/aaa group settings are correct and that the authentication policy is doing what it needs to do.

You can view aaad.debug for authentication troubleshooting (shell; cd /tmp; cat aaad.debug, and view the authentication output for the AD account you are having issues with). This can help identify if it is a user issue or an authentication policy issue; aaad.debug doesn't output for local account authentication.

Running the debug shows: User authentication (Bind event) for user jdoe succeeded.

If I use a locally configured AAA user I can access my whole network (it works fine).

1b) Then you need to make sure that the right policies are applied at the user/group level. Do you have the right session policy defined, the right authorization settings defined, and, for split tunnel, do you also have intranet apps defined?

I have the right session policies, authorization, split tunnel and intranet apps defined.

1c) You can test the vpn access via an alternate local user if you want to narrow down whether it is an authentication policy problem or a policy issue.

It works using a local AAA user account just fine.

2) If the authentication is good, then it's a matter of breaking down the session policy/authorization requirements you need for StoreFront/CVAD access and then separately defining the session policy/authorization/intranet apps for your vpn/split tunnel behavior.

Last year I configured 2 VIPs which have STA and VDA with LDAP group extraction and they work fine. This new SSLVPN split tunnel is not working. I also ran this command and it's hitting the correct policies: nsconmsg -d current -g pol_hits.

Is there anything else to check, or any other debug to run to see the whole process?

I have configured split tunnel SSLVPN in my test environment before and it worked; I'm not sure why it doesn't work now, as I followed the same steps. I have read different docs on how to configure my split tunnel SSLVPN and it looks fine.

 


3 hours ago, Alfredo Vazquez said:

I am using LDAP with Group Extraction and configured an AAA group, but noticed that when applying the AAA group I get this message: "Error: Not a privileged user".

 

This right here means you have no authorization ALLOW settings being applied to the user, either at the AAA user, AAA group or vpn vserver level policies.

This is a deny authorization. Traffic via vpn will be blocked.

If you are relying on group extraction, you must assign an authorization ALLOW policy, either with a true expression or a specific set of ip/netmask and/or port combinations, to allow access to the networks you want, including the frontend VIP networks as well as the backend destinations.

Or you have to set Default Authorization Action: Allow via a session policy on the user/group or vpn vserver.

 

If the authorization policy is set at the group, then make sure that a) the policy is doing group extraction properly AND b) the group name on the ADC matches the group in AD.

 

So the fact that it works for the LOCAL account but not the EXTERNAL account means you do not have authorization set for the members of the EXTERNAL AAA users or AAA group.

 

3 hours ago, Alfredo Vazquez said:

Last year I configured 2 VIPs which have STA and VDA with LDAP group extraction and they work fine. This new SSLVPN split tunnel is not working. I also ran this command and it's hitting the correct policies.

 

For this one, I don't know how else to explain it.

STAs are only in use for the ICA Proxy config for integration with StoreFront. They have no use in a vpn connection.

And Split Tunnel only affects connections with the vpn client and has no impact on any ICA Proxy config.

 

You can have a vpn vserver that does both connections at the same time. But ICA Proxy is Receiver to Gateway to StoreFront, the STA redemption, and then Receiver to Gateway to the VDA destination, using the Citrix Receiver/Workspace app only, and Split Tunnel is not performed.

 

If Split Tunnel is in use, then your user must be doing a full vpn connection with a vpn client.

During split tunnel, the vpn client (gateway plugin) only intercepts the networks specified in the intranet apps and sends the matching traffic to the gateway to make ALLOW/DENY decisions based on the authorization policies/session policies set.

Any client network request not part of the Split Tunnel networks is not intercepted, allowing the endpoint device to do corporate network vpn (via split tunnel) and non-corporate network activities at the same time.

 

If your gateway vpn vserver is doing both ICA Proxy and vpn at the same time, you need to separate the troubleshooting for the user into ICA Proxy stuff and then vpn stuff, to figure out the issue(s), as it sounds like you have multiple things.

 

To proceed:

1) Isolate your external user test to ICA Proxy or the vpn connection only to begin.

2) Do the authentication and confirm the authorization for the external accounts is being applied properly (by user, by group, or by the vpn vserver you are on).

3) Then resolve any ICA Proxy config issues.

Afterwards, repeat the test for the vpn vserver, as different authorization policies may be required for the two types of connectivity.

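The two replies above lay out the same resolution chain from two angles: the first describes how a vpn-only session profile, authorization policies and intranet apps get bound at the aaa user, aaa group or vpn vserver level, and the second explains that "Not a privileged user" is what you see when no authorization ALLOW reaches the externally authenticated user. The script below is an added example written for this thread, not code from Citrix or from either poster. It parses a constructed ns.conf excerpt and resolves what a given user ends up with, so the gap between a local user (ALLOW bound directly to it) and an LDAP-extracted group (intranet app bound, but no authorization policy) is visible before anyone logs in. The resolution model is a stated simplification: classic-style bindings, lowest priority number wins, user binding beats group beats vserver, and an unset session default is treated as DENY. All object names (vpn_split, corp_10, VPN-Users, vpntest, jdoe) are made up for the example.

```python
"""Resolve the effective VPN session settings for a user from ns.conf bindings.

Added illustration for this thread (not Citrix code). The policy-resolution
model is a deliberate simplification: classic-style bindings, lowest priority
number wins, and a user binding beats a group binding beats a vserver binding.
"""
import re
from dataclasses import dataclass, field

# Constructed ns.conf excerpt (names are made up). The local user vpntest gets an
# authorization ALLOW bound directly to it; the LDAP-extracted group VPN-Users
# gets the intranet application but no authorization policy, which is the
# "Not a privileged user" case from the thread.
NS_CONF = """
add vpn vserver vpn_split SSL 10.1.1.50 443
add vpn intranetApplication corp_10 ANY 10.0.0.0 -netmask 255.0.0.0 -destPort 1-65535 -interception TRANSPARENT
add vpn sessionAction sa_vpn_only -splitTunnel ON -icaProxy OFF -clientChoices OFF
add vpn sessionPolicy sp_vpn_only true sa_vpn_only
add authorization policy authz_allow_corp true ALLOW
add aaa user vpntest -password xxxx
add aaa group VPN-Users
bind vpn vserver vpn_split -policy sp_vpn_only -priority 100
bind aaa user vpntest -policy authz_allow_corp -priority 100
bind aaa user vpntest -intranetApplication corp_10
bind aaa group VPN-Users -intranetApplication corp_10
"""
# The fix: give the extracted group the same ALLOW the local user already has.
FIXED_CONF = NS_CONF + "bind aaa group VPN-Users -policy authz_allow_corp -priority 100\n"

SCOPE_RANK = {"user": 0, "group": 1, "vserver": 2}  # tie-break: user > group > vserver

AUTHZ_RE = re.compile(r"^add authorization policy (\S+) (.+?) (ALLOW|DENY)$")
SESSACT_RE = re.compile(r"^add vpn sessionAction (\S+)(.*)$")
SESSPOL_RE = re.compile(r"^add vpn sessionPolicy (\S+) (.+?) (\S+)$")
BINDPOL_RE = re.compile(r"^bind (aaa user|aaa group|vpn vserver) (\S+) -policy (\S+)(?: -priority (\d+))?")
BINDAPP_RE = re.compile(r"^bind (aaa user|aaa group|vpn vserver) (\S+) -intranetApplication (\S+)")
OPT_RE = re.compile(r"-(\w+) (\S+)")


@dataclass
class NsConfig:
    authz_policies: dict = field(default_factory=dict)    # name -> ALLOW | DENY
    session_actions: dict = field(default_factory=dict)   # name -> {option: value}
    session_policies: dict = field(default_factory=dict)  # policy name -> action name
    policy_binds: list = field(default_factory=list)      # (scope, owner, policy, priority)
    intranet_binds: list = field(default_factory=list)    # (scope, owner, app)


def parse_ns_conf(text):
    """Pick out only the objects the resolution needs; everything else is ignored."""
    cfg = NsConfig()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := AUTHZ_RE.match(line):
            cfg.authz_policies[m[1]] = m[3]
        elif m := SESSACT_RE.match(line):
            cfg.session_actions[m[1]] = dict(OPT_RE.findall(m[2]))
        elif m := SESSPOL_RE.match(line):
            cfg.session_policies[m[1]] = m[3]
        elif m := BINDPOL_RE.match(line):
            # scope is the last word of "aaa user" / "aaa group" / "vpn vserver"
            cfg.policy_binds.append((m[1].split()[-1], m[2], m[3], int(m[4] or 0)))
        elif m := BINDAPP_RE.match(line):
            cfg.intranet_binds.append((m[1].split()[-1], m[2], m[3]))
    return cfg


def effective_access(cfg, vserver, user, groups=()):
    """What a VPN session for `user` (member of `groups`) on `vserver` ends up with."""
    owners = {("user", user), ("vserver", vserver)} | {("group", g) for g in groups}
    hits = sorted((prio, SCOPE_RANK[scope], scope, owner, pol)
                  for scope, owner, pol, prio in cfg.policy_binds if (scope, owner) in owners)
    authz = [h for h in hits if h[4] in cfg.authz_policies]
    sess = [h for h in hits if h[4] in cfg.session_policies]
    action = cfg.session_actions.get(cfg.session_policies[sess[0][4]], {}) if sess else {}
    apps = sorted({app for scope, owner, app in cfg.intranet_binds if (scope, owner) in owners})

    if authz:
        decision = cfg.authz_policies[authz[0][4]]
        reason = f"authorization policy {authz[0][4]} bound to {authz[0][2]} {authz[0][3]}"
    else:  # no authorization policy reaches this user: fall back to the session default (DENY)
        decision = action.get("defaultAuthorizationAction", "DENY")
        reason = f"no authorization policy bound; session default is {decision}"

    findings = []
    if decision != "ALLOW":
        findings.append("Not a privileged user: bind an authorization ALLOW policy to the "
                        "user/group/vserver, or set -defaultAuthorizationAction ALLOW on the session action")
    if action.get("splitTunnel") == "ON" and not apps:
        findings.append("splitTunnel ON but no intranetApplication bound: the plugin intercepts nothing")
    return {"authorization": decision, "reason": reason, "splitTunnel": action.get("splitTunnel", "OFF"),
            "icaProxy": action.get("icaProxy", "OFF"), "intranetApps": apps, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("as posted", NS_CONF), ("after fix", FIXED_CONF)):
        cfg = parse_ns_conf(conf)
        print(label, "local vpntest ->", effective_access(cfg, "vpn_split", "vpntest"))
        print(label, "LDAP jdoe     ->", effective_access(cfg, "vpn_split", "jdoe", ["VPN-Users"]))
```

Run it against a real ns.conf by replacing NS_CONF with the file contents and passing the group names that aaad.debug reports as extracted for the user; if the group names it extracts do not match the `add aaa group` names exactly, the group bindings will simply never be found, which is the same outcome the second reply describes.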
